VDB
CVE-2021-32052
CVE-2021-32052
PUBLISHED
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
EPSS 1.86% · 83.4th percentile
Risk Scores
EPSS Score
1.86%
83.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 2.2.0, 3.1.0, 3.2.0 |
| Bitnami | django | 3.1.0, 3.2.0, 2.2.0 |
Exploit Intelligence
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
- CVE-2017-17485:Jackson-databind RCE (github-poc)
…and 684 more exploits
Timeline
- May 6, 2021 CVE Published
- May 7, 2021 EPSS Score
- Jul 10, 2021 EPSS Score
- Nov 11, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 15, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 18, 2022 EPSS Score
- Sep 17, 2022 EPSS Score
- Jan 19, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- http://www.openwall.com/lists/oss-security/2021/05/06/1 url
- https://docs.djangoproject.com/en/3.2/releases/security/ url
- https://groups.google.com/forum/#%21forum/django-announce url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/ url
- https://security.netapp.com/advisory/ntap-20210611-0002/ url
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/ url
- https://nvd.nist.gov/vuln/detail/CVE-2021-32052 url